I'm thinking of equipping the door to my house with an RFID reader and a custom Arduino-like board to do the authentication.

My question is: what is the recommended security level for a lock on a normal house (in Europe)? I'm thinking that I might need a PIN or other additional measures so that if someone finds my wallet with my RFID card, they won't be able to gain access to my house.

You may be interested in this question: security.stackexchange.com/questions/6719. The delay between attempts and the lockout period may be more important than the PIN length if you have to enter the PIN manually (with your fingers).
– this.josh, Sep 1 '11 at 7:28

3 Answers
3

For home locks, I think that the proper way to analyze it is to think about money, and more specifically insurance. You put the kind of lock that will please your insurance company; with a custom lock, chances are that your insurance company will ask for more money every month -- or refuse to give you money if you are burgled (even if the burglar came in through, say, a window).

About PIN: PIN codes usually have relatively low entropy (only 10000 combinations with 4 decimal digits) and rely on auto-locking (e.g. the system which expects the PIN locks itself out after three wrong PINs). For a home door, this is not very good: you do not want to be locked out of your home because someone came by and idly played with the available keyboard. So you would need a relatively large PIN code, e.g. 8 digits. Also, PIN codes are susceptible to side-channel leakage: if you type the same code every day, the involved keys are likely to experience premature wear, revealing which digits are used in the PIN code.

You probably want to be able to enter your home even in case of a power shortage -- and you do not want to have your door opening automatically in that situation (see the Die Hard movie for an illustration). For that reason alone, I would recommend against your idea.

I like this answer. I recently was in a conversation about bike locks, which although made of pretty hard steel, are often easy to crack with bump keys. I recommended the usage of $20-flea-market-bikes in areas where it is likely that bikes get stolen instead of buying a $100 lock that can't protect your $1000 bike... Of course this doesn't apply to houses where naturally most of your stuff is stored. So insurance clearly is the better option there.
– Kevin D., Sep 1 '11 at 9:17

5

Your point about a power outage is a good one. However, in the case of a fire causing loss of power, having the door remain locked would also be undesirable.
– JS1, Sep 1 '11 at 12:01

1

For authentication failure lockout: I think many cipher locks have built-in temporary lockout policies, but these usually only last for a few seconds before resetting. For power failures: Many cipher lock systems also have battery backups that will last for some hours or more, and it's usually a matter of how they're installed which will determine whether they will "fail safe" or "fail secure".
– Iszi, Sep 1 '11 at 13:08

2

A door lock has a functional conflict between providing security (staying closed as much as possible) and providing safety (opening quickly in an emergency).
– this.josh, Sep 1 '11 at 23:12

1

Those RFID locks tend to have a fail-safe button so you can always get out. Look for that. Also, the one we have works without external power supply, so that's also no problem. However, the premier concern remains the insurance, as Thomas pointed out. The lock will most likely be insecure anyway; the question is what the insurance thinks about it. Many current RFID systems simply broadcast static codes, and the challenge-response types have repeatedly been shown to use weak crypto.
– pepe, Sep 2 '11 at 8:53
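An added example (not code from any of the posts above) of the trade-off the first answer and its comments discuss: a longer PIN combined with an escalating but capped delay, instead of a hard lockout that could shut the owner out. The policy constants, the `throttle_t` struct and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed policy values, chosen for illustration only. */
#define BASE_DELAY_S 2u    /* wait after the first wrong PIN */
#define MAX_DELAY_S  300u  /* cap, so the owner is never shut out for long */

/* failures: consecutive wrong PINs; blocked_until: entries before this time (s) are ignored */
typedef struct { uint32_t failures, blocked_until; } throttle_t;

/* Delay after the n-th consecutive failure: doubles each time, then caps. */
uint32_t delay_after(uint32_t n) {
    if (n == 0) return 0;
    if (n > 16) return MAX_DELAY_S;           /* keep the shift in range */
    uint32_t d = BASE_DELAY_S << (n - 1);
    return d > MAX_DELAY_S ? MAX_DELAY_S : d;
}

/* No early exit, so timing does not reveal how many digits matched. */
static int pin_equal(const char *a, const char *b, size_t len) {
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 = open, 0 = wrong PIN, -1 = ignored (still throttled).
   `now` is seconds from a monotonic clock (assumed, e.g. millis()/1000). */
int try_pin(throttle_t *t, uint32_t now, const char *entered,
            const char *stored, size_t len) {
    if (now < t->blocked_until) return -1;
    if (pin_equal(entered, stored, len)) { t->failures = 0; return 1; }
    t->failures++;
    t->blocked_until = now + delay_after(t->failures);
    return 0;
}

/* Sum of enforced delays if every PIN of `digits` digits is tried. */
uint64_t exhaust_seconds(unsigned digits) {
    uint64_t space = 1, total = 0, n = 1;
    for (unsigned i = 0; i < digits; i++) space *= 10;
    for (; n <= space && delay_after((uint32_t)n) < MAX_DELAY_S; n++)
        total += delay_after((uint32_t)n);
    return total + (space - n + 1) * MAX_DELAY_S;
}

int main(void) {
    printf("%llu %llu\n", (unsigned long long)exhaust_seconds(4),
           (unsigned long long)exhaust_seconds(8));
    return 0;
}
```

With these assumed values, exhausting a 4-digit PIN costs roughly 35 days of enforced waiting and an 8-digit PIN roughly 950 years, while a legitimate user never waits more than five minutes. The failure counter should be kept in non-volatile storage so that cycling the power does not reset it.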

Can't be much worse than my garage door opener, whose remote just has a button on it. Everything depends on the implementation, but just doing something a little different will ward off anyone but a determined attacker, and there's no defeating a determined attacker.

By the way, door locks can't possibly be the most important security concern. Just guessing here, but do you have (glass) windows? Are your hinges on the inside of the door? Do you have a reinforced door jamb that can't just be kicked or knocked in with that little battering ram thingy the cops use?

In the end, I agree with Thomas - do whatever your insurance company will give you the biggest discount for and worry about something else. :-)

RFID is a very broad term. There are active (powered) RFID tokens and passive RFID tokens. Most likely you are thinking of passive (backscatter) RFID. The next thing to think of is the range. Common commercial RFID dongle systems use the HF band and have very limited range.

I only have experience with UHF RFID readers (915 MHz North America). These readers can pump out 4W EIRP (36 dBm). They need to pump out a lot of power to get range, because the passive RFID chip uses that power to transmit a response (backscatter) back to the interrogator.

The implication is that a lurker could use a large directional antenna with very high gain and snoop the response. I'm 5 years out of date, but when EPC Gen 2 came out most of the UHF passive tags didn't stop this kind of lurking.

Now back on topic:

Who is really going to go to the trouble to cobble obscure RFID gear to sniff your RFID tag?

How much money would they have to spend to go to this trouble? (Does it make the next house more inviting?)

Losing your token: You should be able to remotely disable tokens to minimize this problem. This is better than the situation of someone stealing your key, because you can revoke your token a lot easier than your key.

Most electronic locks can be set up with a failure mode that makes them fall back to a normal physical lock. For example, having the electronic part release the strike plate would allow you to open the door with a key or by using an electronic method.

There are some Z-Wave manufacturers that make electronic deadbolts, like Schlage, that allow you to bridge your Z-Wave devices to your home network (opening up things like using your smartphone to unlock your door from anywhere).